Abstract. Circumscription is a representative example of a nonmonotonic reasoning inference technique. Circumscription has often been studied for first order theories, but its propositional version has also been the subject of extensive research, having been shown equivalent to extended closed world assumption (ECWA). Moreover, entailment in propositional circumscription is a well-known example of a decision problem in the second level of the polynomial hierarchy. This paper proposes a new Boolean Satisfiability (SAT)-based algorithm for entailment in propositional circumscription that explores the relationship of propositional circumscription to minimal models. The new algorithm is inspired by ideas commonly used in SAT-based model checking, namely counterexample guided abstraction refinement. In addition, the new algorithm is refined to compute the theory closure for generalized closed world assumption (GCWA). Experimental results show that the new algorithm can solve problem instances that other solutions are unable to solve.
1 Introduction

Closed world reasoning (CWR) and circumscription (CIRC) are well-known nonmonotonic reasoning techniques that find a wide range of practical applications. Part of the interest in these techniques is that they bring us closer to how humans reason [15,17,16]. While these techniques have been studied in the context of both first-order and propositional logic, this paper addresses the propositional case. Research directions that have characterized the study of nonmonotonic reasoning techniques include expressiveness, computational complexity, applications and algorithms. The different CWR rules proposed in the late 70s and 80s illustrate the evolution in terms of expressive power in first-order and propositional logics. The computational complexity of propositional CWR rules was studied in the early 90s [1,6] and showed that, with few exceptions, the complexity of CWR deduction problems is in the second level of the polynomial hierarchy, being $\Pi^P_2$-complete [6]. Nonmonotonic reasoning finds a wide range of applications in Artificial Intelligence (AI), but also in description logics [7] and in interactive configuration [13], among many others. Finally, different algorithms have been proposed over the years, examples of which include minimal model resolution [20], tableau calculus [18], Quantified Boolean Formula (QBF) solvers [5] and Disjunctive Logic Programming (DLP) [14,12,19].

The main contribution of this paper is to propose a new algorithm for solving the deduction problem for the propositional version of some CWR rules and for propositional circumscription. The new algorithm is based on iterative calls to a SAT solver, and is motivated by the practical success of modern SAT solvers. However, given the complexity class of entailment for CWR rules, a SAT solver can be expected to be called an exponential number of times in the worst case, or be required to process an exponentially large input. To cope with this issue, we utilize a technique inspired by counterexample guided abstraction refinement (CEGAR), widely used in model checking [3]. One of the key ideas of the new algorithm is that we try to prove a stronger formula, which is weakened if it turns out to be too strong. Based on this idea we develop an algorithm that decides entailment in circumscription. Further, we refine the algorithm to compute the closure of a formula defined by one of the variants of CWR, namely GCWA. As a result, the main contributions of the paper can be summarized as follows: (i) a novel algorithm for propositional circumscription that does not require an enumeration of all minimal models or prime implicates; (ii) a specialization of this algorithm to compute variables that are in all minimal models; and (iii) computing the closure of GCWA.

The paper is organized as follows. The next section introduces the notation and concepts used in the remainder of the paper. Section 3 introduces the computational problems addressed in the paper. The new algorithms are described in Sections 4, 5, and 6. The new algorithms are compared to alternative algorithms in Section 7. The paper concludes with directions for future research work.



2 Preliminaries 

All variables are propositional, and represented by a finite set $V$. A Conjunctive Normal Form (CNF) formula $\phi$ is a conjunction of clauses, which are disjunctions of literals, which are possibly negated variables. A formula $\phi$ can also be viewed as a set of sets of literals. The two representations are used interchangeably in this paper. A clause is called positive if it contains only positive literals. Arbitrary Boolean formulas will also be considered, for which the standard definitions apply. A variable assignment $\nu$ is a total function from $V$ to $\{0, 1\}$. In the text, a variable assignment is represented as $\{x_1^{v_1}, \ldots, x_n^{v_n}\}$ where $V = \{x_1, \ldots, x_n\}$ and $v_i \in \{0, 1\}$, $i \in 1..n$. For a variable assignment $\nu$ and a formula $\phi$ we write $\nu \models \phi$ to denote that $\nu$ satisfies $\phi$. In this case, $\nu$ is called a model of $\phi$. We write $\phi \models \psi$ if the models of $\phi$ are also models of $\psi$. Given a set of variables $S \subseteq V$ and $v \in \{0, 1\}$, the expression $\phi[S \mapsto v]$ denotes the formula $\phi$ with all variables in $S$ replaced with $v$.



2.1 Minimal Models 



Minimal models are widely used in nonmonotonic reasoning and AI in general. To introduce minimal models, we consider the bitwise ordering on variable assignments. For variable assignments $\nu$ and $\mu$ we write $\nu \leq \mu$ and say that $\nu$ is smaller than $\mu$ iff $(\forall x \in V)(\nu(x) \leq \mu(x))$. We write $\nu < \mu$ and say that $\nu$ is strictly smaller than $\mu$ iff $\nu \leq \mu$ and $\nu \neq \mu$. A model $\nu$ of $\phi$ is a minimal model iff there is no model of $\phi$ strictly smaller than $\nu$. Finally, we write $\phi \models_{\min} \psi$ if $\psi$ holds in all minimal models of $\phi$.

Proposition 1. The models of formula $\phi$ that are strictly smaller than some variable assignment $\nu$ are the models of the formula

$\phi \wedge \bigwedge_{\nu(x)=0} \neg x \wedge \bigvee_{\nu(x)=1} \neg x$ (1)

2.2 Closed World Reasoning 

The intuition behind closed world assumption (CWA) reasoning is that facts are not considered to be true unless they were specifically stated. This is motivated by the type of reasoning humans use on an everyday basis. For instance, if Alice asks Bob to buy eggs, Bob will clearly buy eggs. However, he will not buy bread even though Alice has not specified that the bread should not be bought. Traditional mathematical logic behaves differently in this respect: the fact buy-eggs trivially entails buy-eggs but does not entail the fact $\neg$buy-bread.

This intuition has been realized by several different formalisms. Here we 
present only a small portion of these formalisms and the interested reader is 
referred to appropriate publications for further reference [1,6,4]. 

The standard formulation of CWA rules partitions set $V$ into three sets: $P$, $Q$ and $Z$, where $P$ denotes the variables to be minimized, $Z$ are the variables that can change when minimizing the variables in $P$, and $Q$ represents all other (fixed) variables. For any set $R$, $R^+$ and $R^-$ denote, respectively, the sets of positive and negative literals from variables in $R$. Following [1,6], a closure operation is defined for CWR rules as follows:

Definition 1. Let $\phi$ be a propositional formula, $(P; Q; Z)$ a partition of $V$, and $\alpha$ a CWR-rule. Then, the closure of $\phi$ with respect to $\alpha$ is defined by

$\alpha(\phi; P; Q; Z) = \phi \cup \{\neg K \mid K \text{ is free for negation in } \phi \text{ w.r.t. } \alpha\}$ (2)

Each CWR rule considers a different set of formulas that are free for negation. For each CWR rule below, a formula $K$ is free for negation if and only if the corresponding condition holds:

GCWA (Generalized CWA [17]): $K$ is a positive literal and for every positive clause $B$ such that $\phi \not\models B$ it holds that $\phi \not\models B \vee K$.

EGCWA (Extended GCWA [24]): $K$ is a conjunction of positive literals and for every positive clause $B$ such that $\phi \not\models B$ it holds that $\phi \not\models B \vee K$.

ECWA (Extended CWA [24]): $K$ is an arbitrary formula not involving literals from $Z$, and for every positive clause $B$ whose literals belong to $P^+ \cup Q^+ \cup Q^-$, such that $\phi \not\models B$, it holds that $\phi \not\models B \vee K$.

We consider only a subset of existing CWR rules. A detailed characterization 
for existing CWR rules can be found elsewhere [1,6,4]. 

Observe that a single positive literal is free for negation in both GCWA and 
EGCWA under the same conditions. Since a positive literal corresponds to some 
variable, we extend the terminology for variables accordingly. 

Definition 2. A variable $x$ is free for negation in $\phi$ iff for every positive clause $B$ such that $\phi \not\models B$ it holds that $\phi \not\models B \vee x$.

Another concept closely related to closed world assumption is circumscription. Originally, McCarthy defined circumscription in the context of first order logic as a closure of the given theory that considers only predicates with minimal extension [15]. In propositional logic, circumscription of a formula yields a formula whose models are the minimal models of the original one.

Definition 3. Consider the sets of variables $P$, $Q$ and $Z$ introduced above. The circumscription of a formula $\phi$ is defined as follows:

$\mathrm{CIRC}(\phi; P; Q; Z) = \phi \wedge (\forall P', Z')\big((\phi(P'; Q; Z') \wedge (P' \Rightarrow P)) \Rightarrow (P \Rightarrow P')\big)$ (3)

where $P'$, $Z'$ are sets of variables s.t. $X' = \{x' \mid x \in X\}$; $\phi(P', Q, Z')$ is obtained from $\phi(P, Q, Z)$ by replacing the variables in $P$ and $Z$ by the corresponding variables in $P'$ and $Z'$; finally, $P' \Rightarrow P$ stands for $\bigwedge_{x \in P}(x' \Rightarrow x)$.

In the remainder of the paper the sets Z and Q are assumed to be empty. The 
extension to the general case where these sets are not empty is simple, and is 
outlined in Appendix B. 

It is well-known that for the propositional case, circumscription is equivalent to ECWA [9]. Another well-known relationship is the one of both CWR rules and circumscription to minimal models (e.g. [17,1,6]). In particular, variables free for negation take value 0 in all minimal models. And, both EGCWA and circumscription entail the same set of facts as the set of minimal models. These relations are captured by the following propositions (adapted from [17,1,6]):

Proposition 2. A variable $x$ is free for negation in a formula $\phi$ iff $x$ is assigned value 0 in all minimal models of $\phi$.

Proposition 3. Let $\phi$ and $\psi$ be formulas. It holds that $\mathrm{EGCWA}(\phi) \models \psi$ iff $\phi \models_{\min} \psi$. And, it holds that $\mathrm{CIRC}(\phi) \models \psi$ iff $\phi \models_{\min} \psi$.

3 Problems 

The CWR rules yield the two following problems. The first problem consists of 
computing the closure of the theory, as defined by the CWR rule. The second 
problem is that of computing whether a certain fact is entailed by that closure. 



If the closure has been computed, standard satisfiability algorithms can be 
used to solve the entailment problem. However, whereas the closure of GCWA 
increases the size of the formula by at most a linear number of literals, the 
closure of both ECWA and EGCWA may increase the size of the formula by 
an exponential number of conjuncts of literals. The circumscription of a formula 
can be constructed easily but gives rise to a QBF formula and our objective is 
to stay within propositional logic with the ultimate goal of developing purely 
SAT-based solutions. Hence, this paper focuses on the following problems. 

Entails-Min

instance: formulas $\phi$ and $\psi$

question: Does the formula $\psi$ hold in all minimal models of $\phi$?

Free-For-Negation

instance: formula $\phi$ and variable $x \in V$

question: Does $x$ take value 0 in all minimal models of $\phi$?

Free-For-Negation-All

instance: formula $\phi$ and a variable $v \in V$

question: What is the set of variables with value 0 in all minimal models of $\phi$?

Note that solving Entails-Min enables answering whether a fact is entailed by ECWA or by circumscription due to Proposition 3. Clearly, the problem Free-For-Negation is a special case of Entails-Min with $\psi$ set to $\neg x$. Solving Free-For-Negation-All gives us the closure of GCWA.

Interestingly, in terms of complexity, the problem Free-For-Negation is not easier than the problem Entails-Min. Both Entails-Min and Free-For-Negation are $\Pi^P_2$-complete [6, Lemma 3.1].

4 Computing Entails-Min 

The algorithm we wish to develop will be using a SAT solver. This gives us two objectives. One objective is to construct a propositional formula that corresponds to the validity of $\phi \models_{\min} \psi$. The second objective is to avoid constructing an exponentially large formula. We begin by observing that if $\phi \models_{\min} \psi$ is to hold, then any model of $\phi$ that violates $\psi$ must not be a minimal model.

Proposition 4. $\psi$ holds in all minimal models of $\phi$ iff any model $\nu$ of $\phi$ where $\neg\psi$ holds is not a minimal model of $\phi$.

$[\phi \models_{\min} \psi] \Leftrightarrow [(\forall \nu)((\nu \models \phi \wedge \neg\psi) \Rightarrow (\exists \nu')(\nu' < \nu \wedge \nu' \models \phi))]$

Proposition 4 tells us that whether $\phi \models_{\min} \psi$ holds or not can be decided by deciding whether the following formula is valid:

$(\forall \nu)((\nu \models \phi \wedge \neg\psi) \Rightarrow (\exists \nu')(\nu' < \nu \wedge \nu' \models \phi))$ (4)



Since our first objective is to find a propositional formula, we need to eliminate $\cdot \models \cdot$ and quantifiers from (4). First, let us focus on the subformula $(\exists \nu')(\nu' < \nu \wedge \nu' \models \phi)$, which expresses that $\nu$ is not a minimal model.

Proposition 5. A model $\nu$ of $\phi$ is not minimal iff there exists a set $S$ of variables such that $\nu$ is a model of $\phi[S \mapsto 0]$, and $\nu(x) = 1$ for some $x \in S$.

$(\exists \nu')(\nu' < \nu \wedge \nu' \models \phi) \Leftrightarrow (\exists S \subseteq V)(\nu \models \phi[S \mapsto 0] \wedge (\exists x \in S)(\nu(x) = 1))$ (5)

Example 1. Let $\phi = \neg x \vee y$. The model $\mu = \{x^0, y^0\}$ is minimal and the right-hand side of (5) is invalid since there is no set $S$ satisfying the condition $(\exists x \in S)(\nu(x) = 1)$. Let $\nu = \{x^0, y^1\}$ and let us choose $S = \{x, y\}$, which yields $\phi[S \mapsto 0] = 1$. $\nu$ is not minimal and the right-hand side of (5) is valid since $\nu \models 1$ and $\nu(y) = 1$.

Replacing the left-hand side of (5) with the right-hand side of (5) in (4) yields the following formula:

$(\forall \nu)\big((\nu \models \phi \wedge \neg\psi) \Rightarrow (\exists S \subseteq V)(\nu \models \phi[S \mapsto 0] \wedge (\exists x \in S)(\nu(x) = 1))\big)$ (6)

Removing the universal quantifier and replacing existential quantifiers with the Boolean operator $\vee$ in (6) gives us that (6) holds iff the following formula is a tautology:

$(\phi \wedge \neg\psi) \Rightarrow \bigvee_{S \in \mathcal{P}(V)} \Big(\phi[S \mapsto 0] \wedge \bigvee_{x \in S} x\Big)$ (7)

Intuitively, (7) expresses that if $\psi$ is violated in a model of $\phi$, then a different model of $\phi$ is obtained by flipping a set of variables to 0. That this model is indeed different is guaranteed by the condition $\bigvee_{x \in S} x$. The model obtained by the flipping serves as a witness that the model violating $\psi$ is not minimal.

If (7) is constructed, its validity can be decided by calling a SAT solver on its negation. However, the formula is too large to construct since it requires considering all subsets of $V$. Therefore, we construct a stronger version of it that considers only some subsets of $V$. This stronger version is referred to as the abstraction of (7) and always has the following form:

$(\phi \wedge \neg\psi) \Rightarrow \bigvee_{S \in W} \Big(\phi[S \mapsto 0] \wedge \bigvee_{x \in S} x\Big)$, where $W \subseteq \mathcal{P}(V)$ (8)

Each abstraction is determined by a set of sets of variables $W$. For any $W$, if the abstraction (8) is shown to be a tautology, then (7) is also a tautology and we are done because we have shown that $\phi \models_{\min} \psi$. If the abstraction is not a tautology, it is either because $\phi \models_{\min} \psi$ does not hold or the abstraction is overly strong, i.e. it is too coarse. If the abstraction is shown to be too coarse, a different abstraction must be considered.



    input : formulas $\phi$ and $\psi$
    output: true iff $\phi \models_{\min} \psi$

    1   $\omega \leftarrow \phi \wedge \neg\psi$
    2   while true do
    3       $(\mathit{outc}_1, \nu) \leftarrow \mathrm{SAT}(\omega)$
    4       if $\mathit{outc}_1 = \mathit{false}$ then
    5           return true                                   // no counterexample was found
    6       $(\mathit{outc}_2, \nu') \leftarrow \mathrm{SAT}\big(\phi \wedge \bigwedge_{\nu(x)=0} \neg x \wedge \bigvee_{\nu(x)=1} \neg x\big)$   // find $\nu' < \nu$
    7       if $\mathit{outc}_2 = \mathit{false}$ then          // $\nu$ is minimal
    8           return false                                  // abstraction cannot be refined
    9       $S \leftarrow \{x \in V \mid \nu(x) = 1 \wedge \nu'(x) = 0\}$
    10      $\omega \leftarrow \omega \wedge \big(\neg\phi[S \mapsto 0] \vee \bigwedge_{x \in S} \neg x\big)$   // refine

Algorithm 1: Refining



Example 2. Let us show that $\neg x \vee y \models_{\min} \neg y$. First, let us try $W_1 = \{\{y\}\}$, which yields the abstraction $((\neg x \vee y) \wedge y) \Rightarrow \neg x$. This abstraction is not a tautology. In particular, it is violated by the assignment $\{x^1, y^1\}$, which means that flipping $y$ to value 0 in this assignment does not yield a model. Now, let us try $W_2 = \{\{x, y\}\}$, which yields the abstraction $((\neg x \vee y) \wedge y) \Rightarrow 1$. This abstraction is a tautology, which means that any model where $y$ is 1 can be turned into another model by flipping both $x$ and $y$ to 0. Therefore, $\neg x \vee y \models_{\min} \neg y$.

Example 3. Let $\phi = \neg x \vee \neg y \vee \neg z$ and $\psi = (\neg x \vee \neg y) \wedge (\neg x \vee \neg z) \wedge (\neg z \vee \neg y)$. Let us show that $\phi \models_{\min} \psi$. Let us choose the abstraction defined by the set $W = \{\{x\}, \{y\}\}$. The following diagram demonstrates that each model violating $\psi$ has a witness corresponding to one of the sets in $W$.

Each triple represents a variable assignment where the elements represent the values of $x$, $y$, and $z$, respectively. Models and their pertaining witnesses are connected by an edge, which is labeled by the set of variables $S$ whose values are flipped to 0 to obtain the witness.

The approach of searching for the right abstraction follows the Counter-Example Guided Abstraction Refinement (CEGAR) loop [3]. If the abstraction is a tautology, the search terminates. If the abstraction is not a tautology, it is weakened by adding some set of variables $S$ to the set $W$. This weakening is referred to as refinement and is done by investigating the counterexample that shows that the current abstraction is not a tautology. If it cannot be refined, (7) is not a tautology and $\phi \models_{\min} \psi$ does not hold.

[Figure for Example 3: the assignments 110, 101, 011, 100, 010, 001 and 000 of $(x, y, z)$, with each model violating $\psi$ joined by an edge, labeled by the flipped set $S$, to its witness.]

Algorithm 1 realizes the idea outlined above. The algorithm maintains the negation of the abstraction in variable $\omega$ and starts with $W$ being the empty set. Therefore the initial abstraction is $(\phi \wedge \neg\psi) \Rightarrow 0$ with the negation being $\phi \wedge \neg\psi$ (line 1). The test whether the abstraction is a tautology or not is done by calling a SAT solver on its negation (line 2). If the negation is unsatisfiable, i.e. the abstraction is a tautology, then the algorithm terminates and returns true (line 4). If a model $\nu$ is found showing that the abstraction is not a tautology, it means that any assignment obtained from $\nu$ by flipping some set of variables $S \in W$ to 0 is not a model of $\phi$. The algorithm looks for a model $\nu'$ that is strictly smaller than $\nu$ applying Proposition 1 (line 7). If there is no model strictly smaller than $\nu$ then the algorithm terminates and returns false since $\nu$ is a minimal model and violates $\psi$ (line 9). If there is a model $\nu'$ that is strictly smaller than $\nu$, there is some set of variables that are 1 in $\nu$ but are 0 in $\nu'$. This set of variables is added to the sets determining the abstraction (line 9). Observe that a set $S$ will be used at most once to refine the abstraction since once the set is added to $W$, an assignment for which flipping 1 to 0 for variables in $S$ yields a model cannot satisfy the negation of the abstraction. Consequently the algorithm is terminating and will perform at most as many iterations as there are subsets of the set $V$.
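As an added illustration (not code from the paper), the following Python realizes Algorithm 1 with a brute-force enumeration standing in for the SAT solver and runs it on Examples 2 and 3, returning both the answer and the sets $S$ that refined the abstraction. The predicate representation of formulas, the variable names and the third, non-entailed instance are constructed here for the example.

```python
from itertools import product

# Formulas are Python predicates over an assignment dict {variable_name: 0 or 1}.
# A brute-force enumeration stands in for the SAT solver (constructed for the
# paper's small examples, not meant to scale).

def sat(formula, variables):
    """Return (True, model) for the first satisfying assignment, else (False, None)."""
    for bits in product((0, 1), repeat=len(variables)):
        nu = dict(zip(variables, bits))
        if formula(nu):
            return True, nu
    return False, None

def substitute_zero(phi, S):
    """phi[S -> 0]: phi with every variable in S replaced by 0."""
    return lambda nu: phi({**nu, **{x: 0 for x in S}})

def strictly_smaller(phi, nu):
    """Formula (1): the models of phi strictly smaller than nu, i.e.
    phi AND (AND_{nu(x)=0} not x) AND (OR_{nu(x)=1} not x)."""
    zeros = [x for x, v in nu.items() if v == 0]
    ones = [x for x, v in nu.items() if v == 1]
    return lambda mu: (phi(mu) and all(mu[x] == 0 for x in zeros)
                       and any(mu[x] == 0 for x in ones))

def refine(omega, phi, S):
    """Line 10 of Algorithm 1: omega <- omega AND (not phi[S -> 0] OR AND_{x in S} not x).
    A separate function so that each refinement captures its own S."""
    phi_S = substitute_zero(phi, S)
    return lambda mu: omega(mu) and (not phi_S(mu) or all(mu[x] == 0 for x in S))

def entails_min(phi, psi, variables):
    """Algorithm 1: decide phi |=_min psi.  Returns (answer, W), where W is the
    list of sets S that refined the abstraction, in the order they were added."""
    W = []
    omega = lambda nu: phi(nu) and not psi(nu)   # line 1: negation of the initial abstraction
    while True:
        found, nu = sat(omega, variables)                              # line 3
        if not found:
            return True, W                                             # line 5: abstraction is a tautology
        found, nu_prime = sat(strictly_smaller(phi, nu), variables)   # line 6
        if not found:
            return False, W                                            # line 8: nu is minimal and violates psi
        S = frozenset(x for x in variables if nu[x] == 1 and nu_prime[x] == 0)  # line 9
        W.append(S)
        omega = refine(omega, phi, S)                                  # line 10

# Example 2 of the paper: (not x OR y) |=_min not y
EX2_PHI = lambda a: (not a['x']) or a['y']
EX2_PSI = lambda a: not a['y']

# Example 3 of the paper: phi = not x OR not y OR not z, psi = the pairwise "not both" constraints
EX3_PHI = lambda a: (not a['x']) or (not a['y']) or (not a['z'])
EX3_PSI = lambda a: ((not a['x'] or not a['y']) and (not a['x'] or not a['z'])
                     and (not a['z'] or not a['y']))

# Constructed non-entailment: x OR y has the minimal model {x^1, y^0}, where not x fails
NEG_PHI = lambda a: a['x'] or a['y']
NEG_PSI = lambda a: not a['x']

if __name__ == "__main__":
    print(entails_min(EX2_PHI, EX2_PSI, ['x', 'y']))       # (True, [{y}, {x, y}])
    print(entails_min(EX3_PHI, EX3_PSI, ['x', 'y', 'z']))  # (True, [{y, z}])
    print(entails_min(NEG_PHI, NEG_PSI, ['x', 'y']))       # (False, [])
```

For Example 3 the refinement found by this enumeration order is $\{y, z\}$ rather than the paper's $W = \{\{x\}, \{y\}\}$; both are valid abstractions that prove the entailment.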

5 Computing Free-For-Negation 

This section specializes Algorithm 1 to compute variables free for negation, i.e. variables that take value 0 in all minimal models. As mentioned earlier, this problem is a special case of the problem Entails-Min, studied in the previous section: $x$ is free for negation in $\phi$ iff $\phi \models_{\min} \neg x$. However, focusing on this type of formulas enables a more efficient implementation of the algorithm.

The abstractions used in the previous section have to contain the condition that at least one of the variables being flipped to 0 is 1 to guarantee the corresponding witness is strictly smaller (see (7)). For variables free for negation these conditions will not be needed thanks to the following proposition.

Proposition 6. Let $\nu$ be a model of $\phi$ s.t. $\nu(x) = 1$ for a variable $x$. If $x$ is free for negation, then there exists a model $\nu'$ of $\phi$ s.t. $\nu' < \nu$ and $\nu'(x) = 0$.

Proposition 6 tells us that if $\nu(x) = 1$ and $x$ is free for negation, there must be a witness $\nu'$ that flips $x$ to 0 (and possibly some other variables). This ensures that $\nu$ and $\nu'$ are different. This observation enables us to compute $\phi \models_{\min} \neg x$ by determining the validity of a stronger and more concise formula than before.

Proposition 7. A variable $x$ is free for negation in $\phi$ iff the following formula is a tautology.

The abstraction of (9) is analogous to the one used in the previous section with the difference that only sets of variables containing $x$ are considered. Hence, the abstraction always has the following form.

$(\phi \wedge x) \Rightarrow \bigvee_{S \in W} \phi[S \mapsto 0]$, where $W \subseteq \mathcal{P}(V)$ and $(\forall S \in W)(x \in S)$ (10)



    input : CNF formula $\phi$ and a variable $x$
    output: true iff $\phi \models_{\min} \neg x$

    1   $\phi_0 \leftarrow \phi[x \mapsto 0]$
    2   $\omega_0 \leftarrow \{\neg r_c \vee c \mid c \in \phi_0\} \cup \{\neg l \vee r_c \mid c \in \phi_0,\ l \in c\} \cup \{\bigvee_{c \in \phi_0} \neg r_c\}$
    3   $\omega \leftarrow \phi \wedge x \wedge \omega_0$
    4   while true do
    5       $(\mathit{outc}_1, \nu) \leftarrow \mathrm{SAT}(\omega)$
    6       if $\mathit{outc}_1 = \mathit{false}$ then
    7           return true                                   // no counterexample was found
    8       $(\mathit{outc}_2, \nu') \leftarrow \mathrm{SAT}\big(\phi \wedge \neg x \wedge \bigwedge_{\nu(z)=0} \neg z\big)$   // find $\nu' < \nu$ with $\nu'(x) = 0$
    9       if $\mathit{outc}_2 = \mathit{false}$ then
    10          return false                                  // abstraction cannot be refined
    11      $S \leftarrow \{z \in V \mid \nu(z) = 1 \wedge \nu'(z) = 0\}$
    12      $C_p \leftarrow \{c \in \phi_0 \mid (c \cap S) \neq \emptyset\}$              // clauses with some $y \in S$
    13      $C_n \leftarrow \{c \in \phi_0 \mid (c \cap \neg S) \neq \emptyset\}$         // clauses with some $\neg y$, $y \in S$
    14      $C \leftarrow \{c' \mid c \in (C_p \setminus C_n) \wedge c' = c[S \mapsto 0]\}$   // new clauses
    15      $\omega \leftarrow \omega \cup \{\neg r_c \vee c \mid c \in C\} \cup \{\neg l \vee r_c \mid c \in C,\ l \in c\}$   // representation
    16      $\omega \leftarrow \omega \cup \{\bigvee_{c \in \phi_0 \setminus (C_n \cup C_p)} \neg r_c \vee \bigvee_{c \in C} \neg r_c\}$   // negation of clauses

Algorithm 2: Deciding whether a variable is free for negation



5.1 Constructing and Refining Abstraction 

Whenever the abstraction is being refined (weakened) the size of the formula representing the negation of the abstraction increases. Since the abstraction is refined in the worst case exponentially many times, it is warranted to pay attention to the size of the formula representing the negation of the abstraction.

The negation of an abstraction is a conjunct of the left-hand side of the implication and formulas capturing the substitutions.

$(\phi \wedge x) \wedge \bigwedge_{S \in W} \neg\phi[S \mapsto 0]$, where $W \subseteq \mathcal{P}(V)$ and $(\forall S \in W)(x \in S)$ (11)

When the abstraction is being refined, a new set of variables $S$ is added to the set $W$; therefore, the negation of the abstraction is strengthened by conjoining it with $\neg\phi[S \mapsto 0]$. We aim to implement this strengthening without duplicating those parts of the formula that are already present.

Algorithm 2 outlines this procedure. Since all the sets $S$ must contain $x$, the algorithm starts with the abstraction determined by $W = \{\{x\}\}$. In the initialization phase, the negation of this abstraction is $\phi \wedge x \wedge \neg\phi[x \mapsto 0]$ and is computed using the Tseitin transformation [23]. Each clause $c$ in $\phi[x \mapsto 0]$ is represented by a fresh variable $r_c$ and a clause is added that expresses that at least one of these variables must be 0 (line 2). As in the previous section, variable $\omega$ represents the negation of the abstraction (see (11)).

When the abstraction is being refined, the formula in variable $\omega$ is conjoined with $\neg\phi[S \mapsto 0]$. Since $\omega$ already contains clauses from $\neg\phi[x \mapsto 0]$, we need to consider only those clauses that contain literals on the variables in $S$. Clauses containing negative literals on variables from $S$ are skipped, positive literals are removed. Each of the affected clauses is represented by a fresh Tseitin variable. Finally, a clause is added to express that one of the clauses in $\phi[S \mapsto 0]$ is 0. Note that this clause is referring to the original Tseitin variables for the clauses that are not affected by the substitution besides the freshly created ones. Note that when looking for a model $\nu' < \nu$, the algorithm requires that $x$ has value 0 in $\nu'$ since the set $S$ must contain $x$ (line 8).

5.2 Finding Models 

An abstraction is refined according to two responses from the underlying SAT solver ($\nu$ and $\nu'$). This enables us to devise heuristics that prefer some responses of the solver to others. The motivation for these heuristics is to find abstractions where the set $W$ determining the abstraction contains few sets $S$. Dually, this means that each $S \in W$ yields a witness for many models. The heuristics used in the current implementation are motivated by the two following examples.

Example 4. Let $\phi = (x \Leftrightarrow y) \wedge (w \vee z)$. The abstraction defined by $W = \{\{x, y\}\}$ shows that $\phi \models_{\min} \neg y$ since flipping both $x$ and $y$ in any model yields a model (a witness). The abstraction determined by $W = \{\{x, y, z\}\}$ is not sufficient. This abstraction provides a witness for models with $w$ having value 1 but not for the others. Intuitively, variable $z$ is irrelevant to the relation $x \Leftrightarrow y$ and therefore it is better to choose a small $S$.

Example 5. Let $\phi = x \Rightarrow (y \vee w_1 \vee \ldots \vee w_n)$ and let us prove that $\phi \models_{\min} \neg y$. The abstraction determined by $W = \{\{x, y\}\}$ is sufficient. However, if $\nu$ is not minimal, it may be that $\nu = \{x^1, y^1, w_1^1, \ldots, w_n^1\}$, which gives us an exponential number of possibilities for $\nu'$ while only one of them is desirable. Intuitively, if $\nu$ is not minimal and there is some set $S$ that yields a witness for both $\nu$ and some $\nu_1 < \nu$, then the set $S$ is more likely to be found when $\nu_1$ is inspected.

Based on this last observation, the model $\nu$ is required to be minimal. To make the difference between $\nu$ and $\nu'$ small, and therefore make this set $S$ small, the solution $\nu'$ is required to be a maximal model.

To obtain a minimal, respectively maximal, model from a SAT solver is done by specifying the phase, i.e. the value that the solver prefers when making decisions when traversing the search space. Namely, preferring 0 yields a minimal model while preferring 1 yields a maximal model [10,21].

6 Computing Free-For-Negation-All 

To calculate the set of variables that are free for negation, we invoke the algorithm described in the previous section for each variable. This procedure is optimized by conjoining the negations of the variables that have already been shown to be free for negation, which is justified by the following proposition.



    input : CNF formula $\phi$ and a set of variables $V$
    output: subset of $V$ that are free for negation

    $F \leftarrow \emptyset$
    $X \leftarrow V$
    $\mathit{timeout} \leftarrow \mathit{initial\text{-}timeout}$
    while $X \neq \emptyset$ do
        $G \leftarrow \emptyset$
        foreach $x$ in $X$ do
            $(\mathit{success}, \mathit{outc}) \leftarrow \textsc{Free-For-Negation}(\phi, x, \mathit{timeout})$
            if $\mathit{success} = \mathit{true}$ then
                $G \leftarrow G \cup \{x\}$
                if $\mathit{outc} = \mathit{true}$ then
                    $F \leftarrow F \cup \{x\}$
                    $\phi \leftarrow \phi \wedge \neg x$
        $X \leftarrow X \setminus G$
        $\mathit{timeout} \leftarrow k \times \mathit{timeout}$
    return $F$

Algorithm 3: Computing the set of variables that are free for negation

Proposition 8. Let $\phi$ and $\psi$ be formulas such that $\phi \models_{\min} \psi$. The formula $\phi \wedge \psi$ has the same set of minimal models as $\phi$. In particular, if $\phi \models_{\min} \neg x$ then

$(\phi \wedge \neg x) \models_{\min} \psi$ iff $\phi \models_{\min} \psi$.

The motivation for conjoining negations of variables free for negation is to give more information to subsequent inferences. The effectiveness of this technique, however, depends on the ordering of the variables. Hence, the approach we use is to set timeouts for testing a single variable and if a test times out, the variable is tested again but with information gained from the other tests.

Algorithm 3 summarizes these ideas in pseudocode. The algorithm described in the previous section is represented by the function Free-For-Negation, which returns a pair of values. The first value in the pair indicates whether the algorithm terminated before the given timeout or not. The second value of the pair indicates whether the given variable is free for negation or not. The timeout is gradually multiplied by some constant coefficient $k$. In the actual implementation there is a maximum timeout for which the algorithm stops and returns an approximation of the set of variables free for negation.
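The clause-level refinement of Section 5.1 (Algorithm 2) and the conjoining of negations from Section 6 (Proposition 8), as an added Python example that is not the paper's implementation: a brute-force enumeration stands in for SAT4j, Tseitin selector variables are reused when a refinement produces a clause that is already represented, and the timeout scheme of Algorithm 3 is omitted. The DIMACS-style clause encoding and the numbering of Example 4's variables ($x$=1, $y$=2, $w$=3, $z$=4) are assumptions of this example.

```python
from itertools import product

# Clauses are frozensets of non-zero ints in DIMACS style: k is variable k,
# -k its negation.  The brute-force SAT oracle below is constructed for small
# inputs only; a real implementation would call an incremental SAT solver.

def sat_cnf(clauses, num_vars):
    """Return (True, model) for the first assignment of variables 1..num_vars
    satisfying every clause, else (False, None)."""
    for bits in product((0, 1), repeat=num_vars):
        model = dict(zip(range(1, num_vars + 1), bits))
        if all(any(model[abs(l)] == (l > 0) for l in c) for c in clauses):
            return True, model
    return False, None

def free_for_negation(phi, n, x):
    """Algorithm 2: decide phi |=_min not x for a CNF phi over variables 1..n.
    Returns (answer, W); W lists the sets S used to refine the abstraction."""
    phi = [frozenset(c) for c in phi]
    # line 1: phi0 = phi[x -> 0]; clauses containing -x become true, x is dropped elsewhere
    phi0 = {c - {x} for c in phi if -x not in c}
    r = {}                     # Tseitin selector r_c for every represented clause c
    counter = [n]              # fresh variables are allocated above the n original ones
    def represent(c):
        """Clauses encoding r_c <-> c (lines 2 and 15)."""
        counter[0] += 1
        r[c] = counter[0]
        return [frozenset({-r[c]}) | c] + [frozenset({-l, r[c]}) for l in c]
    omega = list(phi) + [frozenset({x})]            # line 3: phi AND x ...
    for c in phi0:
        omega += represent(c)                        # line 2: ... AND the Tseitin definitions
    omega.append(frozenset(-r[c] for c in phi0))    # line 2: some clause of phi0 is false
    W = []
    while True:
        found, nu = sat_cnf(omega, counter[0])                          # line 5
        if not found:
            return True, W                                              # line 7
        # line 8: find nu' < nu with nu'(x) = 0 (nu(x) = 1 is forced by omega)
        smaller = list(phi) + [frozenset({-x})] + \
                  [frozenset({-z}) for z in range(1, n + 1) if nu[z] == 0]
        found, nu_p = sat_cnf(smaller, n)
        if not found:
            return False, W                                             # line 10: nu is minimal
        S = frozenset(z for z in range(1, n + 1) if nu[z] == 1 and nu_p[z] == 0)  # line 11
        W.append(S)
        Cp = {c for c in phi0 if c & S}                      # line 12: some y in S occurs positively
        Cn = {c for c in phi0 if any(-y in c for y in S)}   # line 13: some y in S occurs negatively
        C = {c - S for c in Cp - Cn}                         # line 14: c[S -> 0] for affected clauses
        for c in C:
            if c not in r:                                   # reuse r_c if already represented
                omega += represent(c)                        # line 15
        # line 16: negation of phi[S -> 0] via untouched original clauses plus the new ones
        omega.append(frozenset(-r[c] for c in (phi0 - (Cn | Cp)) | C))

def free_for_negation_all(phi, n):
    """Section 6 without timeouts: once x is shown free for negation, -x is
    conjoined to phi (Proposition 8) so that later tests see that information."""
    phi = [frozenset(c) for c in phi]
    F = []
    for x in range(1, n + 1):
        if free_for_negation(phi, n, x)[0]:
            F.append(x)
            phi.append(frozenset({-x}))
    return F

# Example 4 of the paper: phi = (x <-> y) AND (w OR z), numbered x=1, y=2, w=3, z=4
EX4 = [{-1, 2}, {-2, 1}, {3, 4}]

if __name__ == "__main__":
    print(free_for_negation(EX4, 4, 2))    # (True, [frozenset({1, 2})])
    print(free_for_negation(EX4, 4, 3))    # (False, [])
    print(free_for_negation_all(EX4, 4))   # [1, 2]
```

The minimal models of Example 4 are $\{x^0, y^0, w^1, z^0\}$ and $\{x^0, y^0, w^0, z^1\}$, so exactly $x$ and $y$ are free for negation, and the single refinement $S = \{x, y\}$ matches the abstraction the paper names as sufficient.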

7 Evaluation 

Algorithm 3 was implemented in Java using SAT4j as the underlying SAT solver while availing of its incremental interface [22]. The implementation was evaluated on a benchmark of 260 tests (see footnote 4). A majority of these are valid software configurations (motivated by [13]). A few tests are from the SAT '09 competition; relatively easy instances were chosen as the computed problem is significantly harder than satisfiability. The results appear in Table 1. An instance is considered solved if the answer is given in less than 30 s. The time given in the table is the average for the solved instances.

4 Available at http://logos.ucd.ie/confs/jelialO/jelialO-bench.tgz

Table 1. Experimental evaluation

                          Algorithm 3          circ2dlp+gnt
                 tests   solved   time[s]     solved   time[s]
    e-shop         174      174       2.1         95       2.4
    BerkeleyDB      30       30       0.9         30     < 0.1
    model-transf    41       41       1.1         35       2.8
    SAT2009         15        3       7.6          2       2.5

The alternative we tried was based on the tool circ2dlp [19], which transforms circumscription into a disjunctive logic program, and gnt [11], which lists all models of that program. From the list of models it is easy and fast to construct the set of variables that are free for negation. We also tried using a QBF solver along with (3), but that implementation solved none of the 260 tests.

8 Summary and Future Work 

This paper proposes an algorithm for deduction under the set of minimal models of a propositional formula. This algorithm enables us to reason under the propositional versions of closed world assumption or circumscription. The algorithm hinges on an application of a SAT solver but more importantly on counterexample guided abstraction refinement (CEGAR). While CEGAR has been amply used in software verification [3,8], we are not aware of its application in nonmonotonic reasoning.

The deduction problem under the set of minimal models can be formulated as QBF [5] or as a DLP [14,12]. The experimental results suggest that current QBF solvers are not practical for this problem. The comparison to the DLP-based solution indicates that our dedicated algorithm enables solving more instances. Nevertheless, the DLP-based solution was faster for some instances.

The promising experimental results indicate that the ideas behind the presented algorithms have potential for further work. The evaluation was performed for the computation of variables free for negation defining the closure of a theory in GCWA; hence, further evaluations should be performed on other types of problems in this domain. On a more general scale, it is well known that minimal models can be seen as optima with respect to the pertaining ordering [2,21]. This opens possibilities to investigate generalizations of the presented algorithms for different orderings than the one used for minimal models. Last but not least, the comparison with the DLP-based solution indicates that it would be beneficial to investigate approaches tackling the problem with hybrid techniques.
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A Proofs 



Proposition 1. The models of formula <f> that are strictly smaller than some 
variable assignment v are the models of the formula 

4> A f\ ~^x A \J -.x (1) 

v(x)=0 i/(x)=l 

Proof. Let v' be a model of (1). The assignment v' is a model of cf) because (1) 
is stronger than </>. The model v 1 is smaller than v because whenever v{x) = 
holds, v'{x) = holds as well due to the condition l\ v u.\— Q -*x. The model v' is 
strictly smaller than v because there must be at least one variable x for which 
v(x) — 1 and v'{x) = due to the condition \J ' < , =1 -*x. □ 

Proposition 4. A formula $\psi$ holds in all minimal models of the formula $\phi$ iff any model $\nu$ of $\phi$ where $\neg\psi$ holds is not a minimal model of $\phi$.

$$[\phi \models_{\min} \psi] \Leftrightarrow [(\forall \nu)\,((\nu \models \phi \wedge \neg\psi) \Rightarrow (\exists \nu')(\nu' < \nu \wedge \nu' \models \phi))]$$

Proof. In classical logic, for any assignment $\nu$ either $\nu \models \psi$ or $\nu \models \neg\psi$ but not both. Let $\phi \models_{\min} \psi$ and let $\nu$ be a model such that $\nu \models \phi \wedge \neg\psi$. Then $\nu$ must not be minimal: since $\nu \models \neg\psi$, if $\nu$ were minimal it would be a minimal model of $\phi$ not satisfying $\psi$, contradicting $\phi \models_{\min} \psi$.

Conversely, if any model of $\phi$ that satisfies $\neg\psi$ is not minimal, then all the minimal models of $\phi$ must satisfy $\psi$. □

Proposition 5. Let $\nu$ be a model of a formula $\phi$. The model $\nu$ is not a minimal model of $\phi$ iff there exists a set of variables $S$ such that $\nu$ is a model of the formula $\phi[S \mapsto 0]$, and, $\nu(x) = 1$ for some $x \in S$.

$$(\exists \nu')(\nu' < \nu \wedge \nu' \models \phi) \Leftrightarrow (\exists S \subseteq V)\,(\nu \models \phi[S \mapsto 0] \wedge (\exists x \in S)(\nu(x) = 1)) \qquad (5)$$

Proof. If $\nu$ is not a minimal model of $\phi$, then there exists some model $\nu'$ such that $\nu' < \nu$. By definition, there exists some set of variables $S$ such that $\nu'(x) = 0$ and $\nu(x) = 1$ for $x \in S$, and, $\nu'(x) = \nu(x)$ for $x \notin S$. Then $\nu$ is a model of $\phi[S \mapsto 0]$ because $\nu'$ is a model of $\phi$ and $\nu'$ assigns 0 to all variables in $S$.

Let $S$ be a set of variables such that $\nu \models \phi[S \mapsto 0]$ and $(\exists x \in S)(\nu(x) = 1)$. Let us define the assignment $\nu'$ such that $\nu'(x) = 0$ if $x \in S$ and $\nu'(x) = \nu(x)$ otherwise. Then $\nu'$ is a model of $\phi$ because $\phi[S \mapsto 0]$ corresponds to a partial evaluation of $\phi$. The model $\nu'$ is smaller than $\nu$ because it differs only on the variables in $S$, where $\nu'$ is 0. The model $\nu'$ is strictly smaller than $\nu$ because at least one of the variables from $S$ is assigned the value 1 by $\nu$ due to the condition $(\exists x \in S)(\nu(x) = 1)$. Hence, $\nu' < \nu$ and therefore $\nu$ is not minimal. □

Proposition 6. Let $\nu$ be a model of a formula $\phi$ such that $\nu(x) = 1$ for a variable $x$. If the variable $x$ is free for negation, then there exists a model $\nu'$ of $\phi$ such that $\nu' < \nu$ and $\nu'(x) = 0$.

Proof. Since the set of considered variables $V$ is finite, there are no infinitely decreasing chains in the ordering $<$ and therefore for the model $\nu$ there must be a model $\nu' < \nu$ that is minimal. Since $x$ is free for negation, it must have the value 0 in such a model $\nu'$. □

Proposition 8. Let $\phi$ and $\psi$ be formulas such that $\phi \models_{\min} \psi$. The formula $\phi \wedge \psi$ has the same set of minimal models as the formula $\phi$. In particular, if $\phi \models_{\min} \neg x$ then $(\phi \wedge \neg x) \models_{\min} \neg y$ iff $\phi \models_{\min} \neg y$.

Proof. Since the formula $\psi$ holds in all minimal models of $\phi$, all the minimal models of $\phi$ are models of $\phi \wedge \psi$. Since models of the formula $\phi \wedge \psi$ form a subset of the models of the formula $\phi$, the minimal models of $\phi$ are also minimal in $\phi \wedge \psi$. To show that any minimal model of $\phi \wedge \psi$ is also a minimal model of $\phi$, consider for contradiction that there is an assignment $\nu$ such that $\nu$ is a minimal model of $\phi \wedge \psi$ but is not a minimal model of $\phi$. Since $\nu$ is not minimal in $\phi$ and there are no infinitely decreasing chains in $<$, there must be a minimal model $\nu'$ of $\phi$ such that $\nu' < \nu$. Since $\nu$ is minimal in $\phi \wedge \psi$, $\nu'$ is not a model of $\phi \wedge \psi$, but that is a contradiction because all minimal models of $\phi$ are also models of $\psi$. □



B Deciding Entailment in Full ECWA

The article presents an algorithm that enables us to decide whether a formula holds in all minimal models of another formula. This enables us to decide entailment for ECWA and circumscription with $Q = Z = \emptyset$ (see section 2). To provide a semantic characterization supporting arbitrary $Q$ and $Z$, the concept of minimality of models is extended.

Definition 4. Let $P$, $Q$, and $Z$ be a partitioning of the variables $V$. For variable assignments $\nu$ and $\mu$, we write $\nu \le_{(P,Z)} \mu$ iff $\nu(x) = \mu(x)$ for all $x \in Q$, and, $\nu(x) \le \mu(x)$ for all $x \in P$. We write $\nu <_{(P,Z)} \mu$ iff $\nu \le_{(P,Z)} \mu$ and not $\mu \le_{(P,Z)} \nu$. We write $\phi \models_{(P,Z)} \psi$ iff $\psi$ holds in all models that are minimal with respect to the ordering $<_{(P,Z)}$.

The entailment $\models_{(P,Z)}$ corresponds to deduction from the closure defined by ECWA and analogously for circumscription [1]. So we focus on deciding $\phi \models_{(P,Z)} \psi$. Observe that $\phi \models_{(P,Z)} \psi$ coincides with $\phi \models_{\min} \psi$ when $Q = Z = \emptyset$. In terms of computational complexity, deciding $\phi \models_{(P,Z)} \psi$ is not more difficult than deciding $\phi \models_{\min} \psi$ since both problems are $\Pi^P_2$-complete [6].

We show that Algorithm 1 can be easily modified to decide $\phi \models_{(P,Z)} \psi$. The structure of the algorithm remains the same, hence here we focus on the form of the abstraction and how it is refined. Recall that the abstraction captures the statement that any model of $\phi$ that violates $\psi$ is not a minimal model. In particular, a smaller model can be found (see (8)). The following formula replicates the same idea for the minimality defined by $<_{(P,Z)}$.



$$(\phi \wedge \neg\psi) \Rightarrow \bigvee_{(S, Z_0, Z_1) \in W} \Big(\phi[S \mapsto 0,\ Z_0 \mapsto 0,\ Z_1 \mapsto 1] \wedge \bigvee_{x \in S} x\Big), \quad \text{where } W \subseteq \{(S, Z_0, Z_1) \mid S \subseteq P,\ Z_0 \subseteq Z,\ Z_1 \subseteq Z\} \qquad (12)$$



In this case, the abstraction is defined by a set of triples; each of the triples determines which variables are flipped to 0 and which are flipped to 1. Since variables from $P$ can only be flipped to 0 and variables from $Q$ cannot be flipped at all, the right-hand side of the abstraction indeed permits only models smaller in the sense of $<_{(P,Z)}$.

When the algorithm tries to refine the abstraction, it needs to find a model $\nu' <_{(P,Z)} \nu$, where $\nu$ is a model of the negation of the abstraction. We observe that $\nu'$ must be a model of the following formula.

$$\phi \wedge \bigwedge_{\nu(x)=0 \wedge x \in P} \neg x \wedge \bigvee_{\nu(x)=1 \wedge x \in P} \neg x \wedge \bigwedge_{\nu(x)=0 \wedge x \in Q} \neg x \wedge \bigwedge_{\nu(x)=1 \wedge x \in Q} x \qquad (13)$$

The abstraction is refined by adding a triple into the set $W$. The triple is defined by the following elements.

$$\begin{aligned} S &= \{x \mid x \in P \wedge \nu(x) = 1 \wedge \nu'(x) = 0\} \\ Z_0 &= \{x \mid x \in Z \wedge \nu(x) = 1 \wedge \nu'(x) = 0\} \\ Z_1 &= \{x \mid x \in Z \wedge \nu(x) = 0 \wedge \nu'(x) = 1\} \end{aligned} \qquad (14)$$
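The following Python script is an added worked example, not code from the paper or its authors. It brute-forces, over a small constructed CNF formula, the notions used in Appendix A and B: the ordering $\le_{(P,Z)}$ of Definition 4 (with $P = V$ and $Q = Z = \emptyset$ it is the plain pointwise ordering of Appendix A), the entailment $\models_{(P,Z)}$, the Proposition 5 test for non-minimality via $\phi[S \mapsto 0]$, the candidate formula (13) and the refinement triple (14). The formula $\phi = (x_1 \vee x_2) \wedge (x_2 \vee x_3)$, the query formulas, the partitions and the function names are all constructed here for illustration; the paper's Algorithm 1 uses a SAT solver instead of enumeration.

```python
"""Brute-force reference for Appendix A/B (added example, not the paper's code).

Formulas are CNF in DIMACS style: variable i is the int i, its negation -i.
Assignments are dicts variable -> 0/1.  Everything is enumerated over all
2^|V| assignments, which is fine for the constructed toy instance below and
lets every claim be checked directly against the definitions.
"""
from itertools import combinations, product


def satisfies(nu, cnf):
    """nu |= cnf: every clause contains a literal made true by nu."""
    return all(any(nu[abs(lit)] == (1 if lit > 0 else 0) for lit in clause)
               for clause in cnf)


def all_models(cnf, variables):
    for bits in product((0, 1), repeat=len(variables)):
        nu = dict(zip(variables, bits))
        if satisfies(nu, cnf):
            yield nu


def as_tuples(models, variables):
    """Canonical sorted view of a list of assignments (for comparisons)."""
    return sorted(tuple(m[x] for x in variables) for m in models)


def leq_pz(nu, mu, P, Q):
    """Definition 4: nu <=_(P,Z) mu iff nu and mu agree on Q and nu <= mu
    pointwise on P.  The variables in Z are not compared at all."""
    return all(nu[x] == mu[x] for x in Q) and all(nu[x] <= mu[x] for x in P)


def lt_pz(nu, mu, P, Q):
    return leq_pz(nu, mu, P, Q) and not leq_pz(mu, nu, P, Q)


def minimal_models(cnf, variables, P, Q):
    models = list(all_models(cnf, variables))
    return [m for m in models if not any(lt_pz(m2, m, P, Q) for m2 in models)]


def entails(phi, psi, variables, P, Q):
    """phi |=_(P,Z) psi.  With P = variables and Q = Z = {} this is |=_min."""
    return all(satisfies(m, psi) for m in minimal_models(phi, variables, P, Q))


def is_minimal_prop5(nu, phi):
    """Proposition 5 (ordering with Q = Z = {}): nu is not minimal iff some S
    containing an x with nu(x) = 1 gives nu |= phi[S -> 0].  Evaluating
    phi[S -> 0] under nu equals evaluating phi under nu' = nu with S zeroed,
    so that is what is computed.  Only subsets of the variables nu sets to 1
    need to be tried: zeroing a variable that is already 0 changes nothing."""
    ones = [x for x in nu if nu[x] == 1]
    for k in range(1, len(ones) + 1):
        for S in combinations(ones, k):
            nu_prime = {x: (0 if x in S else v) for x, v in nu.items()}
            if satisfies(nu_prime, phi):
                return False
    return True


def models_of_13(nu, phi, variables, P, Q):
    """Models nu' of formula (13) for a given nu: keep nu's zeros on P, flip
    at least one of nu's ones on P to 0, agree with nu on Q, Z unconstrained."""
    out = []
    for nu_p in all_models(phi, variables):
        keep_zero = all(nu_p[x] == 0 for x in P if nu[x] == 0)
        drop_one = any(nu_p[x] == 0 for x in P if nu[x] == 1)
        same_q = all(nu_p[x] == nu[x] for x in Q)
        if keep_zero and drop_one and same_q:
            out.append(nu_p)
    return out


def refinement_triple(nu, nu_prime, P, Z):
    """The triple (S, Z0, Z1) of (14) added to W once nu' <_(P,Z) nu is found."""
    S = {x for x in P if nu[x] == 1 and nu_prime[x] == 0}
    Z0 = {x for x in Z if nu[x] == 1 and nu_prime[x] == 0}
    Z1 = {x for x in Z if nu[x] == 0 and nu_prime[x] == 1}
    return S, Z0, Z1


# Constructed toy instance: phi = (x1 v x2) & (x2 v x3) over V = {1, 2, 3}.
V = [1, 2, 3]
PHI = [[1, 2], [2, 3]]
PSI_NOT_BOTH = [[-1, -2]]    # ~x1 v ~x2: fails classically (x1=x2=1) but holds minimally
PSI_X2 = [[2]]               # x2: false in the minimal model {x1, x3}
PSI_NOT_X2_X3 = [[-2, -3]]   # ~x2 v ~x3: depends on whether x3 is in P or in Z

if __name__ == "__main__":
    print("minimal models, P = V :", as_tuples(minimal_models(PHI, V, V, []), V))
    print("phi |=_min ~x1 v ~x2  :", entails(PHI, PSI_NOT_BOTH, V, V, []))
    print("phi |=_min x2         :", entails(PHI, PSI_X2, V, V, []))
    print("minimal models, Z={3} :", as_tuples(minimal_models(PHI, V, [1, 2], []), V))
    nu, nu_p = {1: 1, 2: 1, 3: 0}, {1: 0, 2: 1, 3: 1}
    print("refinement triple     :", refinement_triple(nu, nu_p, [1, 2], [3]))
```

Two things the enumeration makes visible that the text only states: moving $x_3$ from $P$ to $Z$ adds the model $(0,1,1)$ to the minimal ones, so $\neg x_2 \vee \neg x_3$ is entailed under $\models_{\min}$ but not under $\models_{(P,Z)}$; and the models of (13) are exactly the models strictly below $\nu$ in $<_{(P,Z)}$, which is why a single SAT call on (13) suffices to find the $\nu'$ that defines the triple (14).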



